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The Chief Executive 
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Dear Sir/Madam, 


FATE Risk-Based Approach Guidance for the Banking Sector and 
Money Laundering and Terrorist Financing Risk Assessment 


I am writing to inform you that the Financial Action Task Force on Money Laundering 
(FATF) published on 27 October 2014 “Risk-Based Approach Guidance for the Banking 
Sector” (the Guidance). We are also taking this opportunity to clarify the expectations of 
the Hong Kong Monetary Authority (HKMA) over authorized institutions’ (AIs’) 
assessment of money laundering and terrorist financing (ML/TF) risks. 


FATF Risk-Based Approach Guidance for the Banking Sector 





The Guidance outlines the principles involved in applying a risk-based approach (RBA) to 
anti-money laundering and counter-terrorist financing (AML/CFT) and addresses 
countries, their competent authorities and the banking sector. Your specific attention is 
drawn to section I which sets out the key elements of an RBA and section MI which 
provides specific guidance to banks on the effective implementation of an RBA. Above 
all, the Guidance supports the development of a common understanding of what the RBA 
to AML/CFT entails, which includes the expectation that Als should identify, assess and 
understand the ML/TF risks to which they are exposed and take AML/CFT measures 
commensurate to those risks in order to mitigate them effectively. 


This Guidance should be read in conjunction with the guidance paper issued by the Basel 
Committee on Banking Supervision, “Sound Management of Risks Related to Money 
Laundering and Financing of Terrorism”, which was circulated to Als on 10 February 
2014. The principles outlined in both documents will greatly assist Als in the design and 
implementation of effective AML/CFT systems’. 


See paragraph 2.1 of the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (for 
Authorized Institutions) (AMLO Guideline), also referred to as AML/CFT program 
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Website: www.hkma.gov.hk 


While the HKMA will have regard to this Guidance during future review of local legal 
and regulatory AML/CFT requirements, in the meantime, Als are encouraged to review 
the Guidance in the context of, and assess the implications for, enhancing their AML/CFT 
control frameworks. The Guidance is available on the FATF’s website 
(http://www. fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-S 


ector.pdf). 





ML/TE Risk Assessment 





Central to the proper application of an RBA to AML/CFT is the expectation that Als 
should identify, assess and understand the ML/TF risks to which they are exposed. The 
HKMA has made this an increasing focus of its recent AML/CFT supervision and 
provided guidance in two recent AML/CFT seminars’. 


Als should conduct ML/TF risk assessment at both the institutional and customer levels. 
While the requirements of risk assessment at customer level have been articulated in the 
AMLO Guideline®, the following paragraphs further clarify the expectations of the 
HKMaA over Als’ institutional assessments of their ML/TF risks. 


(i) Why are institutional ML/TF risk assessments so important? 


The ML/TF risk assessment forms the basis for the RBA, enabling the AI to 
understand how, and to what extent it is vulnerable to ML/TF, deciding the most 
appropriate and effective way to mitigate the identified risks, and the way to manage 
any resulting residual risk according to the APs risk appetite. The successful 
implementation and effective operation of an RBA to AML/CFT hinges on strong 
senior management leadership and oversight of the development and implementation 
of the RBA across the AI. Senior management should not only know about the 
ML/TF risks to which the AI is exposed, but also understand how its AML/CFT 
control framework operates to mitigate those risks. 


(ii) What steps should AIs take? 


While many Als may already have ML/TF risk assessments in place, we would like to 
reiterate that all Als should take appropriate steps to identify, assess and understand 
their ML/TF risks in relation to (1) their customers; (2) the countries or jurisdictions 
their customers are from or in; (3) the countries or jurisdictions the Als have 
operations in; and (4) the products, services, transactions and delivery channels of the 
Als. In practice, our expectation will be that the AI has: 


(a) documented the risk assessment process which includes the identification and 
assessment of relevant risks, supported by qualitative and quantitative analysis 
and information obtained from relevant internal and external sources; 





Please refer to HKMA circulars dated 2 May and 13 August 2014 
Reference should also be made to Chapter 3 of the AMLO Guideline 


(b) considered all the relevant risks factors4 before determining what the level of 
overall risk is and the appropriate level and type of mitigation to be applied; 

(c) obtained the approval of senior management on the assessment results; 

(d) aprocess by which the risk assessment is kept up-to-date; and 

(e) appropriate mechanisms to provide its risk assessment to the HKMA when 
required to do so. 


(iii) Complexity 


The risk assessment should be commensurate with the nature and size of the APs 
business: 


(a) For larger or complex Als (e.g. where Als offer a variety of products and 
services across multiple branches or subsidiaries, locally or overseas), a 
comprehensive risk assessment is required. 

(b) For smaller or less complex Als (e.g. where vast majority of the Als’ customers 
fall into similar categories and/or where the range of products and services 
provided are very limited), a less sophisticated ML/TF risk assessment may 
suffice. 


(iv) Overseas operations 


If an AI is a part of a banking group (e.g. a foreign bank branch set up in Hong Kong) 
and a group-wide or regional risk assessment has been conducted, it may make 
reference to or rely on those assessments provided that the assessments adequately 
reflect ML/TF risks posed to the AI in the local context. 


Similarly, a locally-incorporated AI with overseas branches or subsidiary 
undertakings should perform a group-wide ML/TF risk assessment”. 


Should you require further information, please contact Ms Sophia Lam on 2878 1356 or 
Mr Gavin Cheung on 2878 8305. 


Yours faithfully, 


Henry Cheng 
Executive Director (Banking Supervision) 


Reference should also be made to Chapter 2 of the AMLO Guideline 

As reflects the requirements set out in section 22 of Schedule 2 to the Anti-Money Laundering and 
Counter-Terrorist Financing (Financial Institutions) Ordinance, Cap.615 and Chapter 2 of the AMLO 
Guideline. 


